Lately I noticed something strange. I configured an ISA server as reverse proxy for OWA. The customer demanded the ability for users to change their password through OWA. I configured the OWA listener with LDAPS authentication against the Active Directory and enabled the option to select “I want to change my password after logging on” like shown below.

I tested the environment by logging in and changing the password. Everything looks okay and the password is changed correctly. I tried some extra test. I opened another browser and tried to login with the old password, which succeeded. I could now login with the old and the new password.

Strange to me…..so I tried some more test. The customer is using an SSL portal with RADIUS authentication to the same Active Director. So I tried to log in with the old and new password. I guess you know the answer. It was possible to login with both password. Another test was login in to the network components, which also use RADIUS against the Active Directory. Again the test were positive.

The last test was login in on a workstation. With this test, I could only login in with the new password and not the old one. Strange to me…… After one hour I tried again, and this time it was only possible to login with the new password.

I guess there is some kind of period where you can use both password. Maybe someone noticed this before and knows more about it…